Security Quest #13: Microsoft Patch Tuesday

Yesterday was Patch Tuesday for December and Microsoft released seven security bulletins. There weren’t any Office updates, but there were updates for all supported OSes – Windows 2000 Professional SP4 to Windows XP SP2, and Windows Vista – along with updates for Internet Explorer 6 and IE 7. All the updates are available through Automatic Updates or the Microsoft web site. Microsoft has said that exploits for the IE vulnerabilities are already being used. Click the bulletin number to go directly to the MS bulletin. I do not mention server OSes when saying what OS the patch is for, only desktop OSes and apps.

MS07-063 is for Windows Vista, including the 64-bit version, and is rated as Important. The vulnerability could allow remote code execution, but it’s mitigated by the fact that SMB2 is off by default and not used when connecting to previous OSes (like Windows XP).

MS07-064 is for DirectX 7 and 8 on Windows 2000; DirectX 9 on Windows 2000, Windows XP and Windows Vista; DirectX 10 on Windows Vista. The patch is rated Critical on all systems.

MS07-065 is for Windows 2000 Pro and Windows XP. It’s rated as Important on Windows 2000 and Moderate on Windows XP. An attacker that already has valid logon credentials could elevate their privileges.

MS07-066 is for Windows Vista, including 64-bit, and is rated as Important. The vulnerability could allow the elevation of privileges.

MS07-067 is for Windows XP and it’s rated as Important. It also allows privilege elevation.

MS07-068 is for Windows 2000, Windows XP and Windows Vista and it’s rated as Critical. The patch varies based on the version of the Windows Media Format Runtime that is installed and isn’t OS specific. The vulnerability can allow remote code execution.

MS07-069 is the always-expected Internet Explorer cumulative update and is for Internet Explorer 6 and Internet Explorer 7 on Windows 2000, Windows XP and Windows Vista, and also for Internet Explorer 5.01 on Windows 2000. It’s rated as Critical on all desktop OSes.

I run a basic (no additional software) Windows Vista Ultimate VM and it updated without a problem. The same for a basic Windows XP SP2 VM I also run. The updates were installed through Automatic Update.